[Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org

[Kevin Darbyshire-Bryant]

On 11/04/2015 17:49, Dave Taht wrote:
> Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
> with suitable handling for DNSSEC.   Certainly I've DNSSEC enabled and
> can browse the site you mention without obvious problem.
> I stand corrected.
>
> I still would really like people to pound dnsmasq flat with
> namebench or other dns stress tests (anyone know of any? dig in a loop
> would also help), using a native ipv6 dns server upstream. It used to
> take days to trigger the bug. It may only happen on networks that have
> issues with edns0.
>
>> The automatic determination of 'valid current time' and hence checking
>> signature timestamps has an issue:  The startup script uses 'touch -t
>> 1970epoch timestampfile' to pre-create a timestamp file which slightly
>> defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
>> invalid option.
> Well, it was a more elegant solution that dnsmasq ultimately came up
> with than what was in cerowrt, and I figure that single character fix
> is a single bug report to openwrt and patch away... if someone else
> not getting on a plane makes it.

I shall log a ticket within 48 hours, (if it doesn't get spotted and
squashed by someone else)  It's not just a case of not using '-t' but
rather of not trying to defeat the internal dnsmasq logic whilst fitting
in with the requirement of being able to create a file as 'nobody' in a
directory with a) suitable permissions and b) survives reboots, and
dealing with the new secure computing changes related to procd walled
gardens.  There are a few things pulling in opposite directions most of
which I've no clue :-)

Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4791 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20150411/532f9c30/attachment-0002.bin>